On 10/20/2014 12:11 AM, Tim Goddard wrote:
Hello all,
We have an established OpenStack cloud and as part of a round of security
hardening would like to add some additional restrictions on the use of "admin"
permissions.
In particular, we would like to limit it so that API endpoints requiring admin
access can only be used from a VPN (known range of source IP addresses). We do
not want the public-facing APIs to expose these endpoints, even to users with
the right credentials.
Has anyone already been through a similar process and have a method or advice
for us to follow?
From a Keystone perspective, what you want to do is to use the "admin"
and "main" configuration to have each mapped to different interfaces on
the HTTPD server machine. Don't try to do this with Eventlet, as Eventlet
alone doesn't support it.
You'll have to decide what you want to do about Horizon, as the Admin
operations on Keystone from Horizon are RBAC controlled. You could run
two different Horizon instances, one internal and one external, and give
each a separate Auth URL. Then the Admin port would be hidden from
Horizon, but I think the admin fields would still show up on the Horizon
portal, just be non-functional. I'll let some Horizon folks chime in
with how to deal with that.
Unfortunately, each service defines these things a little differently,
and not all of them run in Eventlet. For the ones that run in Eventlet,
you'll need to use some form of termination in front of them to bind to
different interfaces.
Cheers,
Tim
_______________________________________________
OpenStack-operators mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
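As an added illustration of the split described in the reply above (this is example configuration written for this page, not code from the thread, from Keystone, or from OpenStack's shipped samples), here is an Apache httpd layout in which the "main" and "admin" Keystone WSGI applications are bound to different interfaces, with the admin side further limited to a VPN source range, plus a reverse-proxy vhost for a service that still runs under Eventlet. Everything environment-specific is assumed: Apache httpd 2.4 with mod_wsgi, mod_proxy and mod_proxy_http; Keystone WSGI scripts at /var/www/cgi-bin/keystone/main and /var/www/cgi-bin/keystone/admin (the Juno-era layout); a public interface 203.0.113.10; an internal interface 10.0.0.10; a VPN client range 10.8.0.0/24; and an Eventlet-based API reconfigured to listen only on 127.0.0.1:8774. All addresses and paths are placeholders.

```apache
# Added example, not from the thread. All addresses, ports and paths below
# are assumed placeholders for an Apache httpd 2.4 + mod_wsgi deployment.

# Bind each API to its own interface: the public ("main") API listens only
# on the public address, the admin API only on the internal address.
Listen 203.0.113.10:5000
Listen 10.0.0.10:35357
Listen 10.0.0.10:8774

# Public Keystone API: reachable from anywhere, serves the "main" pipeline.
<VirtualHost 203.0.113.10:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLog /var/log/apache2/keystone-public.log
    CustomLog /var/log/apache2/keystone-public_access.log combined
</VirtualHost>

# Admin Keystone API: bound to the internal interface only, and in addition
# restricted to the VPN client range, so an internal host that is not a VPN
# client is refused as well. Valid credentials alone are not enough.
<VirtualHost 10.0.0.10:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <Location />
        Require ip 10.8.0.0/24
    </Location>
    ErrorLog /var/log/apache2/keystone-admin.log
    CustomLog /var/log/apache2/keystone-admin_access.log combined
</VirtualHost>

# For a service that still runs under Eventlet and cannot do this itself:
# keep the service bound to loopback (assumed 127.0.0.1:8774) and terminate
# connections in httpd, which applies the same interface and source checks.
<VirtualHost 10.0.0.10:8774>
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8774/
    ProxyPassReverse / http://127.0.0.1:8774/
    <Location />
        Require ip 10.8.0.0/24
    </Location>
    ErrorLog /var/log/apache2/eventlet-api-proxy.log
    CustomLog /var/log/apache2/eventlet-api-proxy_access.log combined
</VirtualHost>
```

Two points worth checking when adapting this: `Require ip` matches the source address httpd actually sees, so it only means "came over the VPN" if VPN clients reach the host with their VPN-range address rather than through an intermediate NAT or load balancer; and the Eventlet service must really be reconfigured to bind to loopback, otherwise the proxy merely adds a second path alongside the still-exposed original port. After `apachectl -t`, confirm from a non-VPN address that port 35357 and the proxied port are either unreachable (interface binding) or answer 403 (source restriction).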